Oracle silently fixes zero-day exploit leaked by ShinyHunters

Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group.

Oracle addressed the flaw, which it said could be used to access “sensitive resources,” with an out-of-band security update released over the weekend.

"This Security Alert addresses vulnerability CVE-2025-61884 in Oracle E-Business Suite," reads Oracle's advisory.

"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitive resources."

However, Oracle did not disclose that the flaw was actively exploited in attacks or that a public exploit had been released.

Multiple researchers, customers, and BleepingComputer have confirmed that the security update for CVE-2025-61884 now addresses the pre-authentication Server-Side Request Forgery (SSRF) flaw used by the leaked exploit.

BleepingComputer reached out to Oracle more than six times for comment about the updates and the lack of disclosure regarding active exploitation, but either received no reply or the company declined to comment.

The confusing mess of Oracle zero-days

Earlier this month, Mandiant and Google began tracking a new extortion campaign in which companies received emails claiming sensitive data had been stolen from their Oracle E-Business Suite (EBS) systems.

These emails came from the Clop ransomware operation, which has a long history of exploiting zero-day flaws in widespread data theft attacks.
